@raishin/vanguard-frontier-agentic 3.0.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,127 @@
1
+ # Review Workflow and Findings Contract
2
+
3
+ Use this reference for the step-by-step review procedure, the decision tree across all
4
+ five defect classes, and the required output shape. Load the two domain references only
5
+ for the specific defect class the code under review actually raises.
6
+
7
+ ## Prerequisites
8
+
9
+ - Read `package.json` / `nuxt.config.ts` to confirm the Nuxt major (3 vs 4) — API names
10
+ and defaults are stable across 3/4 for everything this skill covers, but confirm
11
+ before citing version-specific behavior.
12
+ - Identify the review surface: `nuxt.config.ts` (`runtimeConfig`, `routeRules`,
13
+ `modules`), any `composables/`, `plugins/`, `server/api/`, `server/routes/`,
14
+ `server/middleware/` files, and any template/component using `useState`/`v-html`.
15
+
16
+ ## Workflow
17
+
18
+ 1. **Read `nuxt.config.ts`'s `runtimeConfig` block in full.** Classify every key as
19
+ private (top-level, server-only) or public (nested under `public`, or `app`).
20
+ For every public key, ask whether its name/default value suggests a secret. See
21
+ `references/runtime-config-and-cross-request-state.md`, Part 1.
22
+ 2. **Grep for `NUXT_PUBLIC_*` and other `NUXT_*` env var names** in `.env*` files and
23
+ deployment config; map each back to the `runtimeConfig` key it overrides and confirm
24
+ the public/private classification holds.
25
+ 3. **Enumerate module-scope declarations reachable from server-rendered code.** Grep
26
+ `composables/`, `plugins/`, `server/api/`, `server/middleware/` for `useState(`,
27
+ `ref(`, `reactive(`, and mutable object/array literals declared outside any
28
+ function body. Classify each by mutability/reactivity and reachability. See
29
+ `references/runtime-config-and-cross-request-state.md`, Part 2.
30
+ 4. **Enumerate every server-route outbound `$fetch`/`ofetch`/`event.$fetch`/
31
+ `useRequestFetch` call.** Trace the destination URL to its origin; trace which
32
+ headers are forwarded (via `event.$fetch`'s default context propagation,
33
+ `useRequestHeaders(...)`, or manual header spreading) and to where. See
34
+ `references/ssrf-payload-and-response-headers.md`, Part 1.
35
+ 5. **Enumerate `useState`/payload values that carry user-controlled or user-echoed
36
+ content**, and trace them forward to any eventual `v-html`/HTML-injection sink.
37
+ Separately check for any custom `definePayloadReducer`/`definePayloadReviver` logic
38
+ that bypasses Nuxt's own `devalue`-based serialization. See
39
+ `references/ssrf-payload-and-response-headers.md`, Part 2.
40
+ 6. **Check for a security-header mechanism**: `routeRules` `headers` entries, a
41
+ security module in `modules`, or `useResponseHeader(...)` calls, and confirm actual
42
+ route-glob coverage against the app's real surface (auth pages, forms, admin
43
+ routes, embedded third-party content). See
44
+ `references/ssrf-payload-and-response-headers.md`, Part 3.
45
+ 7. **Produce ranked findings** using the output contract below.
46
+
47
+ ## Decision tree
48
+
49
+ - A key under `runtimeConfig.public` (or fed by a `NUXT_PUBLIC_*` env var) holds a
50
+ secret, credential, or internal-only value → **HIGH**, `runtimeConfig-exposure`.
51
+ - A private `runtimeConfig` key is re-exported into a public-scoped value elsewhere
52
+ in the app → **HIGH**, `runtimeConfig-exposure`.
53
+ - A private `runtimeConfig` key stays private and is consumed only server-side → not
54
+ a finding (rubric item 9).
55
+ - `runtimeConfig.public.*` holds a genuinely non-secret value (base URL, feature
56
+ flag) → not a finding (rubric item 10).
57
+ - `useState`/`ref`/`reactive`/a mutable object is declared at true module scope
58
+ (outside any function) and is reachable from server-rendered code → **HIGH**,
59
+ `cross-request-state-pollution`, structural, regardless of whether leakage has been
60
+ observed.
61
+ - Same declaration is invoked inside a composable/`setup()`/plugin factory body → not
62
+ a finding (rubric item 11), unless that body itself closes over a separate
63
+ module-scope mutable reference (still HIGH in that case).
64
+ - Module-scope declaration is an immutable constant with no runtime mutation path →
65
+ not a finding (rubric item 12).
66
+ - A `server/api`/`server/routes` handler builds its outbound `$fetch`/`ofetch` URL
67
+ (host, path, or query) from user-reachable input with no allowlist → **HIGH**,
68
+ `ssrf`.
69
+ - Outbound URL is hardcoded or validated against an explicit host allowlist → not a
70
+ finding (rubric item 13).
71
+ - A handler forwards `authorization`/`cookie` (via `event.$fetch` defaults,
72
+ `useRequestHeaders`, or manual spreading) to an external or user-influenceable
73
+ destination with no header allowlist → **HIGH**, `credential-forwarding`.
74
+ - `event.$fetch` used to reach an internal Nitro route with no external hop → not a
75
+ finding by itself (rubric item 14); only escalate if sensitive headers are
76
+ forwarded without justification even internally.
77
+ - A `useState`/payload value carrying user-controlled or user-echoed content reaches
78
+ a `v-html` (or equivalent unescaped) sink with no sanitizer call on the traced path
79
+ → **HIGH**, `payload-xss`.
80
+ - Same value's trace terminates at a safe consumer (text interpolation, a sanitizer
81
+ call on the exact path, or no rendering at all) → not a finding, but state this
82
+ explicitly rather than omitting the traced value from the review.
83
+ - No `routeRules` `headers` entry, no security module, and no `useResponseHeader`
84
+ call anywhere cover a route the app actually serves with auth/forms/embeds →
85
+ **MEDIUM-to-HIGH** depending on the app's surface, `missing-security-headers`.
86
+ - A header mechanism exists and its glob coverage includes the routes in scope → not
87
+ a finding (rubric item 15) — but call out any gap in coverage for routes it does
88
+ *not* cover.
89
+
90
+ ## Output contract
91
+
92
+ Every response from this skill must return:
93
+
94
+ 1. **Scope** — the `runtimeConfig`/`routeRules` blocks, module-scope declarations,
95
+ server routes, and/or template bindings reviewed.
96
+ 2. **Ranked findings** — each with file:line, defect category
97
+ (`runtimeconfig-exposure` / `cross-request-state-pollution` / `ssrf` /
98
+ `credential-forwarding` / `payload-xss` / `missing-security-headers`), the
99
+ concrete data-flow trace (declaration and reachability, or origin-to-sink path),
100
+ and a fix sketch matching the patterns in the relevant reference.
101
+ 3. **Evidence level per finding** — `documentation-based` (Context7-confirmed against
102
+ `/websites/nuxt_4_x` or `/websites/nuxt_3_x`), `repo evidence`, or `inference`
103
+ (e.g., third-party module defaults Nuxt's own docs do not enumerate). Label
104
+ structural risk findings as structural risk, not as confirmed-exploited.
105
+ 4. **Verdict** — approve / approve-with-notes / block.
106
+ 5. **Open questions or out-of-scope items** — e.g., "confirming actual cross-request
107
+ leakage requires concurrent-request load testing, not static review," or "the
108
+ `nuxt-security` module's exact default header set is not documented in Nuxt's own
109
+ Context7 sources — confirm its configured `security:` block directly rather than
110
+ assuming defaults."
111
+
112
+ ## When to push back
113
+
114
+ Push back if the user asks to:
115
+
116
+ - approve a `runtimeConfig.public` secret because "it's minified/obfuscated in the
117
+ bundle anyway" — minification is not encryption; the value is trivially readable in
118
+ the browser's network/JS panel,
119
+ - clear a module-scope `useState`/`ref` because "we haven't seen cross-user leakage in
120
+ production" — this defect class is structural and often invisible until concurrent
121
+ load exposes it; absence of a reported incident is not evidence of absence,
122
+ - approve an SSRF-shaped `$fetch` call because "we trust our users" — an allowlist on
123
+ the destination host is the control, not the trust level of the current user base,
124
+ - treat "we sanitize elsewhere" as clearing a specific traced `payload`/`useState` →
125
+ `v-html` path — the sanitizer must be visible on the exact path under review,
126
+ - skip the security-headers check because "we'll add nuxt-security later" — report the
127
+ current gap now; a planned future fix is not a mitigating control today.
@@ -0,0 +1,72 @@
1
+ ---
2
+ name: pci-payment-ui-security-review
3
+ description: Statically review payment-page frontend code for PCI-DSS-relevant defects in the browser/DOM slice only — raw PAN collection in self-controlled inputs instead of Stripe hosted fields, card data persisted client-side or to analytics, raw card data POSTed to a first-party endpoint, and third-party scripts loaded without Subresource Integrity — grounded in Stripe's own tokenization docs and PCI-DSS v4 script-security requirements.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-03"
9
+ category: security
10
+ ---
11
+
12
+ # PCI Payment UI Security Review
13
+
14
+ ## Purpose
15
+
16
+ Review payment-collection frontend code — checkout pages, card-entry forms, and any script loaded on a page that collects cardholder data — for the frontend-specific defect classes that keep raw cardholder data out of the DOM and out of merchant-controlled JavaScript: raw PAN/CVV collection in a self-controlled `<input>` instead of Stripe's iframe-isolated hosted fields, card data persistence to `localStorage`/`sessionStorage`/analytics/logs, raw card data POSTed to a first-party endpoint instead of tokenized first, and third-party scripts loaded on the payment page without Subresource Integrity (SRI). This skill exists so the review stays anchored to the frontend tokenization boundary and script-integrity surface instead of drifting into a general "payments code review."
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a checkout page or card-entry form for PCI-relevant frontend risk,
23
+ - assess whether card-number, expiry, or CVV fields are collected safely (hosted fields vs. raw `<input>`),
24
+ - audit which scripts load on a payment-collection page and whether they carry Subresource Integrity,
25
+ - assess SAQ-A scope reduction claims for a page that outsources card collection to Stripe Elements/Payment Element,
26
+ - perform a pre-launch frontend security review of a Stripe-based payment integration.
27
+
28
+ Do not use this skill for:
29
+
30
+ - a full PCI-DSS compliance audit — this skill covers **only the frontend slice** (client-side script inventory/integrity, hosted-field isolation, tokenization boundary). Server-side cardholder-data-environment (CDE) segmentation, network firewalling, key management, encryption-at-rest, access control, and the remaining PCI-DSS requirement families are out of scope; route those to a dedicated infrastructure/compliance review,
31
+ - a non-payment page with no card-data collection or third-party script surface — general frontend security review is a different scope,
32
+ - a bug that requires live traffic capture (a proxy/network trace confirming what actually left the browser) to confirm exploitation — static analysis proves the structural risk (the code path that *would* expose or persist raw PAN/CVV), not that raw card data has already left the browser in production.
33
+
34
+ ## Context7 Documentation Protocol
35
+
36
+ - Resolve the Stripe library ID with `resolve-library-id` before citing any Stripe Elements/Payment Element or tokenization-mechanism claim; use `query-docs` to corroborate the specific API behavior (e.g., `stripe.createToken(cardElement)`, `stripe.confirmPayment()`, `stripe.confirmCardPayment()`) rather than relying on memory.
37
+ - Label every Stripe-API behavioral claim `documentation-based` (or `repo evidence` if confirmed directly against fetched Context7 doc content) — do not assert current Stripe API shape from training memory alone.
38
+ - Label every PCI-DSS requirement claim (6.4.3, 11.6.1, or the general SAQ-A scope-reduction rationale) `standard-based` — this skill does not verify a merchant's actual PCI compliance status or attestation; it evaluates whether the frontend code matches the documented pattern the standard and Stripe's architecture rely on.
39
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
40
+ - Read `package.json`/script tags first to confirm which Stripe integration is in use (`@stripe/stripe-js` + Elements, `Payment Element`, or a legacy/custom integration) — the safe idiom and API names differ; do not assume Elements is in use without confirming.
41
+
42
+ ## Lean operating rules
43
+
44
+ - Raw PAN/CVV collection outside an iframe-isolated hosted field, and any client-side persistence of raw cardholder data, default to HIGH severity. This is a security-scoped skill: do not downgrade a raw-PAN-in-DOM finding to MEDIUM because "it's only in a dev/staging build" — the structural pattern is the risk, not its current deployment target.
45
+ - Trace every finding to a concrete file:line and a concrete data-flow path. A finding that says "this form might expose card data" without showing the specific `<input>` element, the specific `.value` read, or the specific POST body construction is not a valid finding — it is a guess.
46
+ - Do not flag `<CardNumberElement />`, `<CardExpiryElement />`, `<CardCVCElement />`, or `<PaymentElement />` usage as a defect — these are Stripe's iframe-rendered hosted fields; the PAN/CVV they collect stays inside iframes controlled by Stripe and is never accessible to merchant JavaScript. Only a self-controlled `<input>` (e.g., `<input type="text" id="cardnumber" />`) that application JS reads via `.value` is the raw-pan-input defect.
47
+ - Treat any `localStorage`, `sessionStorage`, in-memory app store, or analytics/logging call that could carry a PAN, CVV, or full cardholder data payload as a HIGH finding regardless of whether the value is currently populated in the traced code path — check the shape of the object being persisted, not just its current runtime value.
48
+ - Treat a first-party POST (`fetch`/`XMLHttpRequest`/form submit to a first-party endpoint) carrying raw card fields (PAN, CVV, expiry) as a HIGH finding. The safe pattern tokenizes first via the Stripe API (`stripe.createToken(cardElement)` or the Payment Element confirmation flow) and POSTs only the resulting token or PaymentIntent/PaymentMethod ID to the first-party endpoint.
49
+ - Treat any third-party `<script src="...">` loaded on a payment-collection page without an `integrity` attribute (Subresource Integrity, e.g. a `sha256-` hash) as a finding — cite PCI-DSS v4 requirement 6.4.3 (script inventory, script authorization, and integrity control) as the standard-based grounding. Do not accept "we trust this vendor" as a substitute for a visible integrity attribute or equivalent cryptographic verification.
50
+ - Stripe's hosted fields (`CardNumberElement`, `CardExpiryElement`, `CardCVCElement`, `PaymentElement`) render inside sandboxed iframes controlled by Stripe, not merchant code — the browser's same-origin policy and the iframe sandbox boundary are what keep merchant JavaScript from ever reading raw PAN/CVV values. A missing-iframe-isolation finding applies when card fields are collected via manual `<input>` elements with no sandboxed hosted-field equivalent in use.
51
+ - When reviewing broader payment-page change-detection posture, note PCI-DSS v4 requirement 11.6.1 (automated change-detection/alerting for unauthorized script modification on payment pages) as a standard-based expectation — but do not fabricate a finding about a change-detection mechanism you cannot observe in the frontend code under review; note it as an open question instead.
52
+ - Never execute, build, or run application code, and never send live requests, as part of this review; this is a static-review skill (Read/Grep/Glob only).
53
+ - Load only the reference needed for the concern in scope.
54
+
55
+ ## References
56
+
57
+ Load these only when needed:
58
+
59
+ - [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the defect decision tree, and the required output shape.
60
+ - [Hosted fields and tokenization boundary](references/hosted-fields-and-tokenization.md) — load when reviewing card-entry form markup, `raw-pan-input`, `card-data-persistence`, or `self-posted-card-data` defect classes.
61
+ - [Script integrity and SAQ-A scope reduction](references/script-integrity-and-scope.md) — load when reviewing third-party script tags for Subresource Integrity, or assessing whether a page's use of hosted fields plausibly supports SAQ-A scope-reduction claims.
62
+
63
+ ## Response minimum
64
+
65
+ Return, at minimum:
66
+
67
+ - the payment-collection page(s), card-entry form markup, script tags, and/or client-side persistence/network calls in scope,
68
+ - ranked findings with file:line evidence, defect category (`raw-pan-input`, `card-data-persistence`, `self-posted-card-data`, `unsigned-third-party-script`, or `missing-iframe-isolation`), the concrete data-flow trace (the raw `<input>`/`.value` read, the `localStorage`/analytics call, the POST body construction, or the missing `integrity` attribute), and a fix sketch matching Stripe's documented idiom (`CardNumberElement`, `PaymentElement`, `stripe.createToken`, or an `integrity`/SRI attribute),
69
+ - for every finding involving PAN/CVV/cardholder data exposure, an explicit statement of whether the value stays inside a Stripe-controlled iframe (safe) or is reachable by merchant JavaScript (unsafe) — never approve on the assumption isolation exists without tracing it,
70
+ - evidence level per finding (`repo evidence`, `documentation-based`, `standard-based`, or `inference`), with structural risk findings explicitly labeled as structural risk, not as confirmed-exploited or confirmed non-compliant,
71
+ - verdict (approve / approve-with-notes / block),
72
+ - open questions or scope the review could not cover — explicitly restate that this is **not a full PCI-DSS audit**: server-side cardholder-data-environment segmentation, key management, network controls, and non-script requirement families are out of scope and require a dedicated compliance/infrastructure review.
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "pci-payment-ui-security-review",
3
+ "name": "PCI Payment UI Security Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews payment-collection frontend code for the PCI-DSS-relevant frontend defect classes: raw PAN/CVV collection in self-controlled inputs instead of Stripe hosted fields, card data persisted client-side or to analytics, raw card data POSTed to a first-party endpoint before tokenization, and third-party scripts loaded without Subresource Integrity — grounded via Context7 Stripe documentation and PCI-DSS v4 script-security requirements (standard-based).",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://docs.stripe.com/js/elements_object/create",
18
+ "https://docs.stripe.com/security/guide#validating-pci-compliance",
19
+ "https://www.pcisecuritystandards.org/document_library/",
20
+ "https://www.pcisecuritystandards.org/documents/SAQ-A-r2-v4_0.pdf"
21
+ ],
22
+ "security_notes": "This skill's entire scope is security-critical: raw PAN/CVV collection outside a Stripe-controlled iframe, client-side persistence of cardholder data, and unsigned third-party scripts on payment pages are all cardholder-data-exposure or code-tampering vectors. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence of iframe isolation, tokenization-before-POST, or a visible integrity attribute. This is the FRONTEND slice of PCI-DSS only — it is NOT a full PCI-DSS audit; server-side cardholder-data-environment segmentation, network controls, and key management are explicitly out of scope. Static-review-only skill: it reads and greps payment-page source but never executes, builds, or runs application code, and never sends live requests.",
23
+ "last_verified": "2026-07-03",
24
+ "path": "skills/frontend/pci-payment-ui-security-review",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }
@@ -0,0 +1,107 @@
1
+ # Hosted Fields and the Tokenization Boundary
2
+
3
+ Use this reference when reviewing card-entry form markup, or investigating the `raw-pan-input`, `card-data-persistence`, or `self-posted-card-data` defect classes.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive assumption is:
8
+
9
+ > "As long as I send the card data over HTTPS to my own server, it's protected in transit, so a plain `<input>` for the card number is fine."
10
+
11
+ Wrong for PCI-DSS purposes. Transport encryption protects data in transit between the browser and the first-party server, but it does nothing to prevent the merchant's own JavaScript — or a compromised/malicious third-party script sharing the page — from reading the raw PAN/CVV the instant it sits in a DOM `<input>` or in memory as a plain JS value. The entire architectural point of Stripe's hosted fields is to remove that reachability, not merely to encrypt what is already reachable.
12
+
13
+ ## Officially grounded tokenization flow (Context7 Stripe documentation)
14
+
15
+ - `stripe.createToken(cardElement)` converts data collected by Stripe Elements into a **single-use token**, passed securely to the server — the merchant's own code never handles the raw values that produced the token.
16
+ - Raw card data (PAN, CVV) collected by `CardNumberElement`, `CardExpiryElement`, and `CardCVCElement` stays **inside iframes controlled by Stripe**, never accessible to merchant JavaScript.
17
+ - `stripe.confirmPayment()` and `stripe.confirmCardPayment()` tokenize directly as part of confirming the PaymentIntent, without ever exposing raw values to the page.
18
+ - The merchant receives only the token, or the PaymentIntent/PaymentMethod confirmation result — never the raw card data itself.
19
+ - **Key architectural guarantee:** Elements render inside sandboxed iframes; merchant code never sees or touches the PAN or CVV. The browser's same-origin policy prevents scripts on the merchant page — including the merchant's own code and any co-located third-party script — from reading iframe content.
20
+
21
+ ## Defect class 1: `raw-pan-input`
22
+
23
+ Raw PAN collection in a self-controlled `<input>` element.
24
+
25
+ - **Dangerous:** `<input type="text" id="cardnumber" />` with application JS reading `.value` to obtain the card number. The moment card-number digits exist as a plain string in application-reachable memory or the DOM, they are reachable by merchant JS, any injected script, and any browser extension with page access.
26
+ - **Safe:** `<CardNumberElement />` (iframe-rendered by Stripe; no app JS access to the value inside).
27
+ - **Verification targets:** Grep for `<input` elements with `type="text"`/`type="number"`/`name`/`id` attributes suggestive of card fields (`card`, `pan`, `cardnumber`, `ccnum`), and confirm whether the surrounding component imports and uses `CardNumberElement`/`PaymentElement` instead, or reads `.value` directly from a raw input.
28
+
29
+ ## Defect class 2: `missing-iframe-isolation`
30
+
31
+ No iframe/hosted-field isolation for card-data collection generally (PAN, CVV, *or* expiry).
32
+
33
+ - **Dangerous:** Manual `<input>` fields for PAN, CVV, and/or expiry with no iframe sandboxing — a homegrown card form.
34
+ - **Safe:** `<CardNumberElement />`, `<CardExpiryElement />`, `<CardCVCElement />`, or the unified `<PaymentElement />`, all of which render inside a sandboxed iframe boundary that the merchant page cannot reach into.
35
+ - This is the broader structural finding that `raw-pan-input` is one specific instance of — flag it whenever *any* of the three card fields (not just the PAN) is collected outside a hosted field.
36
+
37
+ ## Defect class 3: `card-data-persistence`
38
+
39
+ Card data persisted to a client-side store, `localStorage`/`sessionStorage`, analytics, or logs.
40
+
41
+ - **Dangerous:** `localStorage.setItem('card', {pan, cvv, exp})`, a Vuex/Redux/Pinia `store` action that commits raw card fields to persisted state, or an analytics event (`analytics.track('checkout_attempt', {cardNumber, cvv})`) that includes cardholder data fields.
42
+ - **Safe:** Persist only the tokenized `paymentMethod` ID (e.g., `store.commit('setPaymentMethod', paymentMethod.id)`) — never raw PAN, CVV, or full cardholder data.
43
+ - **Verification targets:** Grep for `localStorage.setItem`/`sessionStorage.setItem` calls, and for `store`/state-management writes and analytics/logging calls, in files reachable from the payment form. For each match, inspect the literal object shape being persisted for PAN- or CVV-shaped fields, even under generic key names — a field literally named `PAN` or `CVV`, or one holding a 13–19 digit numeric string or 3–4 digit CVV pattern, is the signal to trace, regardless of the variable name chosen.
44
+
45
+ ## Defect class 4: `self-posted-card-data`
46
+
47
+ Raw card fields POSTed to a first-party endpoint.
48
+
49
+ - **Dangerous:** `fetch('/api/pay', {body: {pan, cvv, exp}})` — raw card fields constructed directly into a POST body and sent to the merchant's own `/api/pay` first-party endpoint, with no tokenization step beforehand.
50
+ - **Safe:** `stripe.createToken(cardElement).then(token => fetch('/api/pay', {body: {token: token.id}}))` — the Stripe API tokenizes first; only the resulting token is POSTed to the first-party endpoint.
51
+ - **Verification targets:** Grep for `fetch(`/`XMLHttpRequest`/form `action=` submissions targeting a first-party API path from payment-form components. For each, trace the request body's construction backward: does it reference raw card fields (`pan`, `cardNumber`, `cvv`, `exp`), or does it reference a token/PaymentIntent/PaymentMethod object produced by a preceding Stripe API call?
52
+
53
+ ## Minimal safe implementation pattern
54
+
55
+ ```jsx
56
+ // Safe: hosted fields + tokenize-before-POST
57
+ import { CardNumberElement, CardExpiryElement, CardCVCElement, useStripe, useElements } from '@stripe/react-stripe-js'
58
+
59
+ function CheckoutForm() {
60
+ const stripe = useStripe()
61
+ const elements = useElements()
62
+
63
+ async function handleSubmit(e) {
64
+ e.preventDefault()
65
+ const cardElement = elements.getElement(CardNumberElement)
66
+ // Raw PAN/CVV never leave the Stripe iframe; only a token is produced.
67
+ const { token } = await stripe.createToken(cardElement)
68
+ // Only the token is persisted or sent to the first-party endpoint.
69
+ await fetch('/api/pay', { method: 'POST', body: JSON.stringify({ token: token.id }) })
70
+ }
71
+
72
+ return (
73
+ <form onSubmit={handleSubmit}>
74
+ <CardNumberElement />
75
+ <CardExpiryElement />
76
+ <CardCVCElement />
77
+ </form>
78
+ )
79
+ }
80
+ ```
81
+
82
+ Anti-pattern (do not approve):
83
+
84
+ ```html
85
+ <!-- WRONG: raw PAN/CVV in a self-controlled input, read directly by app JS -->
86
+ <input type="text" id="cardnumber" />
87
+ <input type="text" id="cvv" />
88
+ <script>
89
+ function submitPayment() {
90
+ const pan = document.getElementById('cardnumber').value
91
+ const cvv = document.getElementById('cvv').value
92
+ localStorage.setItem('lastCard', JSON.stringify({ pan, cvv })) // card-data-persistence
93
+ fetch('/api/pay', { method: 'POST', body: JSON.stringify({ pan, cvv }) }) // self-posted-card-data
94
+ }
95
+ </script>
96
+ ```
97
+
98
+ ## Adversarial checklist
99
+
100
+ Before clearing a payment form as safe on the tokenization boundary, answer these:
101
+
102
+ - Is card number, expiry, and CVV collection fully delegated to `CardNumberElement`/`CardExpiryElement`/`CardCVCElement`/`PaymentElement`, or does any field use a manual `<input>`?
103
+ - Does any code path read `.value` from a manual card-shaped input?
104
+ - Does any `localStorage`/`sessionStorage`/store/analytics/log call persist an object containing PAN-, CVV-, or cardholder-data-shaped fields?
105
+ - Does the first-party POST body reference raw card fields, or does it reference only a Stripe token/PaymentIntent/PaymentMethod ID produced by a preceding `stripe.createToken`/`stripe.confirmPayment`/`stripe.confirmCardPayment` call?
106
+
107
+ If any answer reveals raw PAN/CVV reachable by merchant JS at rest, in a POST body, or in persisted state, the finding is HIGH and structural — report it even without a reproduced data-exfiltration incident.
@@ -0,0 +1,66 @@
1
+ # Script Integrity and SAQ-A Scope Reduction
2
+
3
+ Use this reference when reviewing third-party script tags loaded on a payment-collection page for Subresource Integrity, or when assessing whether a page's architecture plausibly supports an SAQ-A scope-reduction claim.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive assumption is:
8
+
9
+ > "This third-party script is from a well-known vendor's CDN over HTTPS, so it's safe to load on the checkout page."
10
+
11
+ Wrong for PCI-DSS purposes. HTTPS protects the script in transit from the CDN to the browser; it does not protect against the CDN itself being compromised, the vendor's build pipeline being compromised, or a supply-chain attack that swaps the script's content while its URL stays identical (the class of attack behind real-world Magecart-style card-skimming incidents). Subresource Integrity closes exactly this gap: it lets the browser refuse to execute a script whose fetched content does not match a cryptographic hash pinned at authorization time.
12
+
13
+ ## PCI-DSS v4 grounding (standard-based)
14
+
15
+ **6.4.3 — Script Inventory, Authorization & Integrity Control:**
16
+
17
+ - All scripts loaded on payment collection pages must be inventoried and approved.
18
+ - Scripts must be authorized before loading (script authorization).
19
+ - Integrity verification is required via Subresource Integrity (SRI) or an equivalent cryptographic verification mechanism (e.g., a SHA-256 hash).
20
+
21
+ **11.6.1 — Change Detection on Payment Pages:**
22
+
23
+ - Automated change-detection/alerting mechanisms are required for unauthorized code additions or modifications to payment pages.
24
+ - This is intended to detect malicious script injections, DOM tampering, and compromise attempts in near-real time, independent of the SRI control above.
25
+
26
+ Both of these are standard requirement citations (`standard-based`) — this skill can confirm from frontend code whether SRI is present on a given script tag, but it cannot confirm from static frontend review alone whether a merchant has an operating script-inventory/authorization *process* or a functioning 11.6.1 change-detection deployment. Note any such gap as an open question rather than asserting non-compliance.
27
+
28
+ ## Defect class: `unsigned-third-party-script`
29
+
30
+ Third-party script loaded without Subresource Integrity.
31
+
32
+ - **Dangerous:**
33
+ ```html
34
+ <script src="https://cdn.example.com/analytics.js"></script>
35
+ ```
36
+ No `integrity` attribute means the browser will execute whatever content the CDN serves at request time, with no cryptographic check against what was reviewed/authorized.
37
+ - **Safe:**
38
+ ```html
39
+ <script src="https://cdn.example.com/analytics.js"
40
+ integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh76tviuROE="
41
+ crossorigin="anonymous"></script>
42
+ ```
43
+ The `integrity` attribute pins a SHA-256 (or SHA-384/SHA-512) hash; the browser refuses to execute the script if the fetched bytes don't match. `crossorigin="anonymous"` is required alongside `integrity` for cross-origin script resources so the browser can perform the integrity check.
44
+ - **Verification targets:** Grep every `<script src="...">` tag rendered on a payment-collection page (including scripts injected via a tag-manager snippet, if visible in source) for the presence of an `integrity` attribute. A same-origin/first-party script (served from the merchant's own domain) is lower risk but still benefits from SRI if served via a CDN in front of first-party assets; the primary finding target is third-party origins.
45
+ - A missing `integrity` attribute on a third-party script on a payment page is a HIGH finding regardless of the vendor's reputation — reputation is not a substitute for script authorization and integrity verification under 6.4.3.
46
+
47
+ ## SAQ-A scope reduction (standard-based)
48
+
49
+ SAQ-A is the PCI-DSS self-assessment questionnaire for merchants that have **fully outsourced** all cardholder data collection and processing to a PCI-validated third party (e.g., Stripe), such that the merchant's own systems never store, process, or transmit cardholder data and never touch it even transiently in the browser.
50
+
51
+ For a payment page's frontend architecture to plausibly support an SAQ-A claim:
52
+
53
+ - Every card field (PAN, expiry, CVV) must be collected exclusively via Stripe hosted fields (`CardNumberElement`/`CardExpiryElement`/`CardCVCElement`) or the unified `PaymentElement` — no manual `<input>` anywhere in the flow (would otherwise be a `raw-pan-input`/`missing-iframe-isolation` finding).
54
+ - No client-side persistence of raw cardholder data anywhere in the flow (would otherwise be a `card-data-persistence` finding).
55
+ - No first-party POST of raw card fields anywhere in the flow — only tokens/PaymentIntent/PaymentMethod IDs cross to the first-party server (would otherwise be a `self-posted-card-data` finding).
56
+
57
+ This skill can confirm the frontend evidence for or against these three conditions. It **cannot** confirm the merchant's actual SAQ-A eligibility determination or attestation — that is a compliance/assessor decision that also depends on the merchant's payment page hosting model (e.g., whether the payment page itself is served from PCI-relevant infrastructure) and other SAQ-A eligibility criteria outside this skill's frontend-only scope. Label any SAQ-A-adjacent conclusion `standard-based` and explicitly note the full-audit exclusion.
58
+
59
+ ## Adversarial checklist
60
+
61
+ Before clearing a payment page's script surface:
62
+
63
+ - Does every third-party `<script src="...">` on the page carry an `integrity` attribute with a `sha256-` (or stronger) hash and a `crossorigin` attribute?
64
+ - Is there any script loaded dynamically (via `document.createElement('script')` or a tag-manager container) that bypasses static `integrity` attribution entirely? Flag this as a distinct, harder-to-verify risk — dynamically injected scripts cannot carry a static `integrity` attribute in the same way, and the review should note this as an open question requiring the tag-manager's own vendor controls to be checked separately.
65
+ - If asked about SAQ-A: do all three frontend conditions above hold, with no raw-PAN, persistence, or self-posted-data findings anywhere in the reviewed flow?
66
+ - Is there any observable client-side change-detection or integrity-monitoring code on the page (relevant to 11.6.1), or is this an open question requiring server/ops-side confirmation?
@@ -0,0 +1,52 @@
1
+ # Review Workflow and Findings Contract
2
+
3
+ Use this reference for the step-by-step review procedure and the required output shape. Load the other two references only for the specific defect class the payment page under review actually raises.
4
+
5
+ ## Prerequisites
6
+
7
+ - Confirm the page under review actually collects or handles cardholder data: a checkout form, a saved-card management page, or any page that loads Stripe.js or renders card-entry fields. If no such page exists in scope, this skill does not apply.
8
+ - Identify the Stripe integration shape in use: `@stripe/stripe-js` + `Elements` (`CardNumberElement`/`CardExpiryElement`/`CardCVCElement`), the unified `Payment Element`, or a legacy/custom card-collection integration. The safe idiom and the specific API calls to verify differ by shape.
9
+ - Remember the scope boundary throughout: this is a **frontend-only** PCI-DSS review. Do not extend findings into server-side cardholder-data-environment segmentation, network firewalling, key management, or encryption-at-rest — those require a dedicated infrastructure/compliance review and are out of scope here.
10
+
11
+ ## Workflow
12
+
13
+ 1. **Locate every card-entry surface.** For each checkout/payment form, identify whether card number, expiry, and CVV are collected via Stripe hosted fields (`CardNumberElement`, `CardExpiryElement`, `CardCVCElement`, or `PaymentElement`) or via manual `<input>` elements. See `references/hosted-fields-and-tokenization.md` for the `raw-pan-input` and `missing-iframe-isolation` decision tree.
14
+ 2. **Trace client-side persistence and analytics calls.** Grep for `localStorage.setItem`, `sessionStorage.setItem`, in-memory app `store` writes, and analytics/logging calls (`analytics.track`, `console.log`, error-reporting SDK calls) reachable from the payment form's state. For each, inspect the shape of the persisted/logged object for PAN, CVV, or other cardholder data fields. See `references/hosted-fields-and-tokenization.md` for the `card-data-persistence` decision tree.
15
+ 3. **Trace network calls from the payment form.** For each `fetch`/`XMLHttpRequest`/form submission triggered by the payment form, determine whether raw card fields (PAN, CVV, expiry) are POSTed directly to a first-party endpoint, or whether a Stripe tokenization call (`stripe.createToken(cardElement)`, `stripe.confirmPayment()`, `stripe.confirmCardPayment()`) runs first and only the resulting token/PaymentIntent/PaymentMethod ID is POSTed. See `references/hosted-fields-and-tokenization.md` for the `self-posted-card-data` decision tree.
16
+ 4. **Enumerate every script tag loaded on the payment page.** For each third-party `<script src="...">`, check for an `integrity` attribute (Subresource Integrity) and a `crossorigin` attribute. See `references/script-integrity-and-scope.md` for the `unsigned-third-party-script` decision tree.
17
+ 5. **Assess SAQ-A scope-reduction plausibility (if asked).** If the user asks about SAQ-A eligibility, check whether card data collection is fully outsourced to Stripe hosted fields/Payment Element with no raw card data ever touching the merchant's own JavaScript or servers. See `references/script-integrity-and-scope.md`.
18
+ 6. **Produce ranked findings** using the output contract below.
19
+
20
+ ## Decision tree
21
+
22
+ - Card number/expiry/CVV collected via a manual `<input>` element (e.g., `<input type="text" id="cardnumber" />`) with application JS reading `.value` → **HIGH** finding, `raw-pan-input` and `missing-iframe-isolation`. The safe pattern is `<CardNumberElement />`/`<PaymentElement />`.
23
+ - Card number/expiry/CVV collected via `<CardNumberElement />`, `<CardExpiryElement />`, `<CardCVCElement />`, or `<PaymentElement />` → not a finding; these are Stripe's iframe-rendered hosted fields, and the browser's same-origin policy prevents merchant JS from reading iframe content.
24
+ - A `localStorage`/`sessionStorage`/store/analytics call persists an object containing PAN, CVV, or full card data (even if named generically, e.g. `paymentInfo`) → **HIGH** finding, `card-data-persistence`. The safe pattern persists only a tokenized `paymentMethod` ID.
25
+ - A `localStorage`/`sessionStorage`/store/analytics call persists only a Stripe token, PaymentIntent ID, or PaymentMethod ID (no raw card fields) → not a finding.
26
+ - A first-party POST body is constructed from raw card fields (`pan`, `cardNumber`, `cvv`, `exp`) without a preceding Stripe tokenization call → **HIGH** finding, `self-posted-card-data`.
27
+ - A first-party POST body is constructed from a Stripe token (`token.id`) or PaymentIntent/PaymentMethod confirmation result, with the tokenization call (`stripe.createToken`, `stripe.confirmPayment`, `stripe.confirmCardPayment`) preceding it on the same path → not a finding.
28
+ - A third-party `<script src="...">` on the payment page has no `integrity` attribute → **HIGH** finding, `unsigned-third-party-script` (PCI-DSS v4 6.4.3, standard-based).
29
+ - A third-party `<script src="..." integrity="sha256-..." crossorigin="anonymous">` on the payment page → not a finding.
30
+ - User asks about SAQ-A scope reduction and card collection is fully outsourced to Stripe hosted fields/Payment Element with no raw card data touching merchant JS or servers → plausible SAQ-A alignment, label `standard-based`, and note this skill does not verify the merchant's full SAQ-A questionnaire or attestation status.
31
+ - User asks about SAQ-A scope reduction and any `raw-pan-input`, `card-data-persistence`, or `self-posted-card-data` finding is present → SAQ-A eligibility is not plausible on the frontend evidence reviewed; flag the specific defect blocking it.
32
+
33
+ ## Output contract
34
+
35
+ Every response from this skill must return:
36
+
37
+ 1. **Scope** — the payment-collection page(s), card-entry form markup, script tags, and/or client-side persistence/network calls reviewed.
38
+ 2. **Ranked findings** — each with file:line, defect category (`raw-pan-input` / `card-data-persistence` / `self-posted-card-data` / `unsigned-third-party-script` / `missing-iframe-isolation`), the concrete data-flow trace (the raw input read, the persistence/analytics call, the POST body construction, or the missing integrity attribute), and a fix sketch matching Stripe's documented pattern.
39
+ 3. **Iframe-isolation status per PAN/CVV-handling finding** — an explicit statement of whether the value stays inside a Stripe-controlled iframe (safe) or is reachable by merchant JavaScript (unsafe); never infer isolation exists without tracing it.
40
+ 4. **Evidence level per finding** — `repo evidence`, `documentation-based`, `standard-based`, or `inference`. Label structural risk findings as structural risk — do not imply confirmed exploitation or confirmed non-compliance without live evidence (e.g., a captured network trace, an actual PCI assessor finding).
41
+ 5. **Verdict** — approve / approve-with-notes / block.
42
+ 6. **Open questions or out-of-scope items** — always restate explicitly that this is not a full PCI-DSS audit: server-side CDE segmentation, network controls, key management, and non-script requirement families are out of scope.
43
+
44
+ ## When to push back
45
+
46
+ Push back if the user asks to:
47
+
48
+ - approve a raw `<input>` card field because "we sanitize/mask it before sending" — masking display does not change that raw PAN/CVV briefly exists in merchant-readable DOM/JS state; only Stripe's iframe-isolated hosted fields keep it out of merchant JS entirely,
49
+ - treat a third-party script as safe because "it's from a reputable vendor" without a visible `integrity` attribute — vendor reputation is not equivalent cryptographic verification under PCI-DSS v4 6.4.3,
50
+ - skip the client-side persistence check because "we only store it in memory, not localStorage" — an in-memory app `store` holding raw PAN/CVV is still a `card-data-persistence` finding if it is reachable by other application code, logging, or a crash-reporting SDK,
51
+ - call a page "SAQ-A eligible" solely because it uses Stripe.js somewhere on the page — SAQ-A eligibility requires that raw card data never reaches merchant-controlled JS or servers at all; a page that uses Stripe.js for one flow but also POSTs raw card fields elsewhere does not qualify,
52
+ - treat this review as a full PCI-DSS compliance sign-off — this skill covers only the frontend script/tokenization slice; state the full-audit exclusion explicitly in every response.
@@ -0,0 +1,87 @@
1
+ ---
2
+ name: product-analytics-experimentation-review
3
+ description: Review frontend analytics instrumentation and A/B or multivariate experiment configurations for event-schema correctness, sample-ratio-mismatch risk, statistically valid stopping rules, and consent-gated privacy compliance before shipping a tracking or experiment change.
4
+ allowed-tools: Read Grep Glob WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: data
10
+ ---
11
+
12
+ # Product Analytics & Experimentation Review
13
+
14
+ ## Purpose
15
+
16
+ Analytics and experimentation code looks low-risk (it doesn't change what users see) but is exactly where silent, expensive failures accumulate: schema drift that zeroes a KPI dashboard for weeks, sample-ratio mismatch that invalidates a whole test, and unconsented tracking that creates real compliance exposure. This skill exists to apply a measurement-integrity and privacy review before ship, not after a stakeholder notices the dashboard looks wrong.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review new or changed analytics event instrumentation for schema correctness,
23
+ - validate an A/B or multivariate experiment's bucketing logic and statistical plan before launch,
24
+ - audit whether tracking calls are properly consent-gated for privacy compliance,
25
+ - diagnose a suspected sample-ratio mismatch or an experiment result that looks statistically implausible.
26
+
27
+ ## When NOT to use
28
+
29
+ - Reviewing Core Web Vitals or general RUM/tracing instrumentation with no experiment or event-schema angle — hand off to `frontend-observability-rum-instrumentation`.
30
+ - Reviewing generic security/XSS/CSP posture of a page — hand off to `frontend-dom-xss-csp-review`; this skill only reviews the analytics/experimentation-specific privacy surface (consent gating and PII-in-events), not the broader page security model.
31
+ - Choosing a state-management or component-architecture pattern with no analytics or experiment angle — out of scope.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ Analytics vendor SDKs (GA4/gtag.js, feature-flag/experimentation platforms) change event-parameter names, consent-mode signal shapes, and SDK method signatures across versions, and memorized snippets go stale fast. Before making any platform-specific claim:
36
+
37
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
38
+ 2. Call `mcp__Context7__resolve-library-id` for the specific analytics/experimentation library actually imported in the code under review (e.g. the GA4/`gtag.js` SDK, a specific feature-flag/experiment SDK) before describing its event or bucketing API. Do not assume GA4 by default — verify the platform from the actual `import`/script-tag evidence first.
39
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism in scope — e.g. "GA4 recommended event parameters for purchase event", "Google Consent Mode v2 signal defaults", "GA4 measurement protocol event schema limits" — before ruling on it. Verified library ID for web.dev platform guidance as of this skill's `updated` date: `/websites/web_dev_articles`.
40
+ 4. Known facts verified via Context7/web.dev as of this skill's `updated` date: web.dev documents sending `web-vitals` metrics to GA4 via `gtag('event', 'web_vitals', {...})` with `name`/`value`/`delta`/`id`/`label` fields, and shows GA4 BigQuery-export event tables keyed by `event_name`/`event_params`/`event_timestamp`/`user_pseudo_id` — treat any schema claim about GA4's exported event shape as needing this structure, not an invented one. web.dev's Permissions API guidance (`permissions-best-practices`) documents `navigator.permissions.query({name: ...})` returning a `state` of `granted`/`denied`/`prompt`, and states permission grants are scoped per-origin (a grant on one origin does not transfer to a subdomain/different origin) — apply the same non-transferability logic when reasoning about consent scope across subdomains.
41
+ 5. If Context7 is unavailable or returns no relevant match, fall back to `official_docs` / `references/*.md` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
42
+ 6. Never invent an analytics event-parameter name, consent-mode signal name, or experimentation-platform API that no queried source confirms.
43
+
44
+ ## Lean operating rules
45
+
46
+ - Identify the actual analytics/experimentation platform in use from the imported SDK or script tag before citing platform-specific behavior — do not assume GA4 or any specific vendor by default.
47
+ - Verify that bucketing/assignment logic is deterministic per user (stable hash/seed keyed to a persistent identifier), not re-randomized on refresh, session change, or page reload — this is the single most common cause of invalid experiment results and a leading cause of sample-ratio mismatch.
48
+ - Verify consent gating is enforced at the call site of the tracking function itself, not merely present somewhere else on the page — a consent banner existing does not mean a specific event call respects it; trace the actual conditional guarding the SDK call.
49
+ - Flag any event schema field that could carry PII (free-text fields, email, precise geo/lat-long, payment data, raw URLs with query strings, user-typed search terms) for hashing/redaction before approving.
50
+ - Require a pre-registered primary metric and minimum detectable effect (MDE) for any experiment reviewed; treat their absence as a blocking finding, not a nice-to-have — an experiment analyzed after the fact against whichever metric moved is not a valid test.
51
+ - Treat any observed sample split materially off the configured ratio (e.g. configured 50/50 showing as 46/54 or further at meaningful volume) as a sample-ratio-mismatch candidate requiring a chi-squared check, not a rounding artifact to wave off.
52
+ - Load `references/srm-and-bucketing-integrity.md` only when auditing assignment/bucketing logic or diagnosing a suspected sample-ratio mismatch.
53
+ - Load `references/consent-and-pii-in-events.md` only when reviewing privacy/consent compliance of tracking calls or event payload PII exposure.
54
+ - Load `references/stopping-rules-and-peeking.md` only when evaluating whether an experiment's statistical significance claim or stop/continue decision is valid.
55
+ - This skill performs static review only; it does not execute experiment code, query a live analytics backend, or flip a feature flag / experiment configuration in production.
56
+
57
+ ## Privacy & Consent Depth for Analytics
58
+
59
+ The generic consent/PII posture above (banner presence is not compliance, check the call site) covers the baseline. Some tracking changes need standard-specific depth: IAB TCF v2.2 purpose-granular consent, Google Consent Mode v2's default-denied timing requirement, and adjacent surfaces (Global Privacy Control/Do-Not-Track, cookie categorization, analytics-endpoint data residency) that a generic consent check can miss.
60
+
61
+ - **Consent Mode v2 defaults must be synchronous and denied-by-default** (doc-based, Google Consent Mode v2 docs): `gtag('consent', 'default', {analytics_storage: 'denied', ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied'})` must be set at the top of the page, before the gtag.js/GTM snippet loads and before any `gtag('event', ...)` call — not inside a CMP callback or an async-loaded script. A later `gtag('consent', 'update', ...)` call once the user answers the CMP does not retroactively fix a missing or async default; tags may already have fired under an undefined/permissive state.
62
+ - **IAB TCF v2.2 consent is granular per purpose and per vendor, not a single flag** (standard-based inference from the TCF spec): a compliant check validates a specific `(vendorId, purposeId)` grant from the decoded TC string — "a TC string cookie exists" is presence, not scope. A vendor consented for one purpose (e.g. measurement) is not automatically consented for another (e.g. personalized ads).
63
+ - **Any tracking call — pixel, `gtag`, `sendBeacon`, `fetch` — that fires before a consent signal exists is unrecoverable exposure**: unlike a suppressed JS event, an HTTP request (and any PII in its query string or body) cannot be un-sent once it leaves the client.
64
+ - **PII in event properties is a violation independent of consent state**: consent governs whether tracking may happen, not what may be sent once it does — a consented-but-PII-laden event (raw email, full name, unhashed user ID) is still a data-minimization failure.
65
+ - **Cookies set without a declared category or an explicit expiry cannot be honored by a CMP** — flag any analytics/marketing cookie missing `Max-Age`/`Expires` or a category mapping.
66
+ - **Global Privacy Control (`navigator.globalPrivacyControl`) and Do-Not-Track (`navigator.doNotTrack`) must be checked as an opt-out signal alongside explicit CMP consent**, not replaced by it.
67
+ - **Analytics-endpoint data residency must be identified, not assumed** — note the destination host/region for each analytics call and flag payloads sent to a default/global endpoint when a residency-scoped endpoint is expected.
68
+ - Load `references/privacy-consent-depth-for-analytics.md` when a review needs this standard-specific depth (Consent Mode v2 timing, TCF purpose/vendor granularity, GPC/DNT, cookie categorization, data residency) rather than the general consent/PII check alone.
69
+
70
+ ## References
71
+
72
+ Load these only when needed:
73
+
74
+ - [SRM and bucketing integrity](references/srm-and-bucketing-integrity.md) — use to verify deterministic, unbiased user assignment and to diagnose a suspected sample-ratio mismatch.
75
+ - [Consent and PII in events](references/consent-and-pii-in-events.md) — use to verify tracking calls are consent-gated and event payloads do not leak PII.
76
+ - [Stopping rules and peeking](references/stopping-rules-and-peeking.md) — use to evaluate whether an experiment's significance claim is valid given its actual monitoring/stopping behavior.
77
+ - [Privacy and consent depth for analytics](references/privacy-consent-depth-for-analytics.md) — use for IAB TCF v2.2 purpose/vendor granularity, Google Consent Mode v2 default-timing requirements, GPC/Do-Not-Track honoring, cookie categorization/expiry, and analytics-endpoint data residency.
78
+
79
+ ## Response minimum
80
+
81
+ Return, at minimum:
82
+
83
+ - the analytics/experimentation platform identified and the docs used to verify its behavior,
84
+ - schema-correctness verdict against the documented data contract,
85
+ - SRM/bucketing-integrity verdict,
86
+ - consent-gate and PII findings,
87
+ - statistical-validity verdict (pre-registered metric/MDE present, stopping rule sound) with evidence level.
@@ -0,0 +1,29 @@
1
+ {
2
+ "id": "product-analytics-experimentation-review",
3
+ "name": "Product Analytics & Experimentation Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews frontend analytics instrumentation and A/B/multivariate experiment setups for event-schema correctness, sample-ratio-mismatch risk, valid statistical stopping rules, and consent-gated privacy compliance before an experiment or tracking change ships.",
15
+ "source_type": "adapted",
16
+ "official_docs": [
17
+ "https://web.dev/articles/vitals-business-impact",
18
+ "https://developers.google.com/analytics/devguides/collection/ga4",
19
+ "https://gdpr.eu/cookies/",
20
+ "https://www.w3.org/TR/permissions/",
21
+ "https://developers.google.com/tag-platform/security/guides/consent",
22
+ "https://iabeurope.eu/iab-europe-transparency-consent-framework/"
23
+ ],
24
+ "security_notes": "Require consent-gate verification before any non-essential tracking call is approved; require PII scrubbing/hashing review on every new event schema field before it is marked shippable. Also check IAB TCF v2.2 purpose/vendor-granular consent, Google Consent Mode v2 synchronous default-denied timing, GPC/Do-Not-Track honoring, cookie categorization/expiry, and analytics-endpoint data residency. Read-only static review; does not execute experiment code, query a live analytics backend, or change a live feature-flag/experiment configuration.",
25
+ "last_verified": "2026-07-03",
26
+ "path": "skills/frontend/product-analytics-experimentation-review",
27
+ "author": "github: Raishin",
28
+ "version": "0.1.0"
29
+ }